Strip incoming headers that contain an underscore. Fixes #819.

changelog.rst

@@ -46,6 +46,8 @@ Security
   ``start_response`` do not contain a carriage return or newline in
   order to prevent HTTP response splitting (header injection), raising
   a :exc:`ValueError` if they do. See :issue:`775`.
+- Incoming headers containing an underscore are no longer placed in
+  the WSGI environ. See :issue:`819`.
 - Errors logged by :class:`~gevent.pywsgi.WSGIHandler` no
   longer print the entire WSGI environment by default. This avoids
   possible information disclosure vulnerabilities. Applications can

src/gevent/pywsgi.py

@@ -1010,18 +1010,23 @@ class WSGIHandler(object):
     def _headers(self):
         key = None
         value = None
+        IGNORED_KEYS = (None, 'CONTENT_TYPE', 'CONTENT_LENGTH')
         for header in self.headers.headers:
             if key is not None and header[:1] in " \t":
                 value += header
                 continue
 
-            if key not in (None, 'CONTENT_TYPE', 'CONTENT_LENGTH'):
+            if key not in IGNORED_KEYS:
                 yield 'HTTP_' + key, value.strip()
 
             key, value = header.split(':', 1)
-            key = key.replace('-', '_').upper()
+            if '_' in key:
+                # strip incoming bad veaders
+                key = None
+            else:
+                key = key.replace('-', '_').upper()
 
-        if key not in (None, 'CONTENT_TYPE', 'CONTENT_LENGTH'):
+        if key not in IGNORED_KEYS:
             yield 'HTTP_' + key, value.strip()
 
     def get_environ(self):

src/greentest/greentest.py

@@ -36,7 +36,7 @@ from gevent.hub import _get_hub
 from functools import wraps
 import contextlib
 import gc
-import six
+import _six as six
 
 
 PYPY = hasattr(sys, 'pypy_version_info')

src/greentest/test__all__.py

 """Check __all__, __implements__, __extensions__, __imports__ of the modules"""
 from __future__ import print_function
-import six
+import _six as six
 import sys
 import unittest
 import types

src/greentest/test__backdoor.py

@@ -2,7 +2,7 @@ import greentest
 import gevent
 from gevent import socket
 from gevent import backdoor
-from six import xrange
+from _six import xrange
 
 
 def read_until(conn, postfix):

src/greentest/test__event.py

 import greentest
 import gevent
 from gevent.event import Event, AsyncResult
-from six import xrange
+from _six import xrange
 
 DELAY = 0.01
 

src/greentest/test__exc_info.py

 import gevent
 import sys
 import greentest
-import six
+import _six as six
 
 if not six.PY3:
     sys.exc_clear()

src/greentest/test__execmodules.py

 from greentest import walk_modules, BaseTestCase, main, NON_APPLICABLE_SUFFIXES
-import six
+import _six as six
 
 
 class TestExec(BaseTestCase):

src/greentest/test__order.py

 import gevent
 import greentest
-from six import xrange
+from _six import xrange
 
 
 class appender(object):

src/greentest/test__os.py

 import sys
-import six
+import _six as six
 from os import pipe
 from gevent import os
 from greentest import TestCase, main

src/greentest/test__pool.py

@@ -6,7 +6,7 @@ from gevent.queue import Queue
 import greentest
 import random
 from greentest import ExpectedException
-import six
+import _six as six
 
 import unittest
 

src/greentest/test__pywsgi.py

@@ -1363,6 +1363,21 @@ class TestInvalidEnviron(TestCase):
         read_http(fd)
 
 
+class TestInvalidHeadersDropped(TestCase):
+    validator = None
+    # check that invalid headers with a _ are dropped
+
+    def application(self, environ, start_response):
+        self.assertNotIn('HTTP_X_AUTH_USER', environ)
+        start_response('200 OK', [])
+        return []
+
+    def test(self):
+        fd = self.makefile()
+        fd.write('GET / HTTP/1.0\r\nx-auth_user: bob\r\n\r\n')
+        read_http(fd)
+
+
 class Handler(pywsgi.WSGIHandler):
 
     def read_requestline(self):

src/greentest/test__select.py

-import six
+import _six as six
 import sys
 import os
 import errno

src/greentest/test__socket.py

@@ -7,7 +7,7 @@ import traceback
 import time
 import greentest
 from functools import wraps
-import six
+import _six as six
 
 # we use threading on purpose so that we can test both regular and gevent sockets with the same code
 from threading import Thread as _Thread

src/greentest/test__socket_dns.py

 #!/usr/bin/python
 # -*- coding: utf-8 -*-
-import six
+import _six as six
 import re
 import greentest
 import socket
@@ -8,7 +8,7 @@ from time import time
 import gevent
 import gevent.socket as gevent_socket
 from util import log
-from six import xrange
+from _six import xrange
 
 
 resolver = gevent.get_hub().resolver

src/greentest/test__subprocess_interrupted.py

 import sys
-from six import xrange
+from _six import xrange
 
 
 if 'runtestcase' in sys.argv[1:]:

src/greentest/test__threadpool.py

@@ -7,7 +7,7 @@ import gevent.threadpool
 from gevent.threadpool import ThreadPool
 import gevent
 from greentest import ExpectedException
-import six
+import _six as six
 import gc
 
 

src/greentest/test_hub_join_timeout.py

@@ -2,7 +2,7 @@ from contextlib import contextmanager
 import gevent
 from gevent.event import Event
 from time import time
-from six import xrange
+from _six import xrange
 
 
 SMALL = 0.1

src/greentest/test_queue.py

@@ -9,7 +9,7 @@ try:
     from test import support as test_support
 except ImportError:
     from test import test_support
-from six import xrange
+from _six import xrange
 
 QUEUE_SIZE = 5
 

src/greentest/test_threading_2.py

 # testing gevent's Event, Lock, RLock, Semaphore, BoundedSemaphore with standard test_threading
 from __future__ import print_function
-from six import xrange
+from _six import xrange
 
 setup_ = '''from gevent import monkey; monkey.patch_all()
 from gevent.event import Event

src/greentest/testrunner.py

 #!/usr/bin/env python
 from __future__ import print_function
-import six
+import _six as six
 import sys
 import os
 import glob

src/greentest/util.py

 import sys
 import os
-import six
+import _six as six
 import traceback
 import unittest
 import threading